
Odd Firewall Recommendations Needed.

Well all, I have one more project I am looking for recommendations for. I need a firewall, priced up to $3500, which will do the following:

1. Accept two incoming connections (they do not need to be physical; I can use a hub).
2. Can connect each connection to its respective internal network.
3. VPN capable.
4. 5.5 Mbps 3DES throughput minimum.
5. Does not need outbound traffic load balancing. Primary worry is inbound.

Basically, I have three networks and several users outside of my primary location (outside = 2/27 [30u], 3/27 [20u], 4/27 [15u] & users; inside = 1/27 [30u] & 5/27 [30u]). Each outside connection has a VPN tunnel to each of the inside connections. The outside units each have a SonicWALL SOHO3. Inside we have two SOHO3s. I primarily want to have better throughput, records and management. The system rarely drops below the 3.5 Mbps of throughput we need.

I was told that using a hub and a Cisco PIX-515E-R would work. I was also told Checkpoint would require an unlimited IP license to do this, pricing it well out of reach. Are there any other options?

Originally posted here by Scatman420 My recommendation would be to get that Cisco router. But instead of using SOHO, set up VLAN connections with your outside sources. This would create better throughput.

Also, in regard to the firewall: set up an extended ACL (access list) on the router. This proves to be very efficient in most VLAN setups.

Just a suggestion.

Scat

He needs a firewall, not a router. And you can't set up VLANs on a router to my knowledge; they are configured on switches. NoTx, I'm trying to remember the name of a company that makes a product that should suit your needs. I'll get back to you on it.
-NeuTron

Originally posted here by Scatman420 My recommendation would be to get that Cisco router. But instead of using SOHO, set up VLAN connections with your outside sources. This would create better throughput.

Also, in regard to the firewall: set up an extended ACL (access list) on the router. This proves to be very efficient in most VLAN setups.

Scat

OK. You lost me. What router? And how do you set up a VLAN to remote locations, bypassing their firewalls?

Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson

Originally posted here by NoTx Will the 515 really accept (via hub) two separate connections to the internet (separate WAN connections)? As I have been told?

You can certainly connect multiple WAN connections with the use of a hub or switch, but the bigger question is how the Internet connections will be used. Are they both going to remain active simultaneously? If so, you will have trouble with routing because you have no way to distinguish one default routing path from another. The solution to this is to use BGP, but it doesn't sound to me like this is the case. If they are simply for redundancy purposes, you could certainly use weighted statics to get the job done. Also, if these are strictly for VPN connectivity, you should be OK as well.

As far as a recommendation, it really depends a lot on how much you plan on managing this firewall. If your config will be fairly static, I would suggest the PIX-515. However, if you plan on having complex policies or a very dynamic rulebase, the Checkpoint solution is definitely the way to go. IMHO, if you can afford it, Checkpoint is the better solution all-around because of some of its optional features that can be expanded, such as SecureClient for VPNs, which allows you to manage and enforce a personal FW policy on the remote user's side. Checkpoint can definitely get a little expensive, though, depending on the environment. The beauty of it is that CP runs very well on Linux, so you have a very cheap hardware solution and can just worry about the FW licensing.

CP licenses their software based on the number of protected hosts, or in other words the number of IP addresses on your network. If it is more than 250, I think you are forced to go with an unlimited license.

You can certainly connect multiple WAN connections with the use of a hub or switch, but the bigger question is how the Internet connections will be used. Are they both going to remain active simultaneously? If so, you will have trouble with routing because you have no way to distinguish one default routing path from another. The solution to this is to use BGP, but it doesn't sound to me like this is the case. If they are simply for redundancy purposes, you could certainly use weighted statics to get the job done. Also, if these are strictly for VPN connectivity, you should be OK as well.

I have one subnet using one and another subnet using the other (1/27 and 5/27). These are full-time active, each at 2.5 Mbps. A VPN connection is being sent to each subnet currently; I would need that to remain the case.

CP licenses their software based on the number of protected hosts, or in other words the number of IP addresses on your network. If it is more than 250, I think you are forced to go with an unlimited license.

It is for an office with 5 servers and 30 users. However, I was told by Checkpoint reps that because of using two external IPs I would require an Unlimited IP licence... which costs more than all the machines in the office combined.

So there should be no problem doing this with the 515, though? Thanks for all your help!

NoTx, here's my recommendation. I'm assuming that your internet connections are dedicated serial connections, not DSL or cable. If this is the case, then get rid of all the SOHO equipment. Get yourself a Cisco 2600 and purchase 2 WIC cards to be added into the 2600. You can run static routes to prioritize your outbound traffic and use BGP for your inbound traffic.
Then purchase a Cisco PIX 515 to handle your security and VPN connections.

If you are looking more for redundancy of hardware, you can purchase 2 Cisco 1700s, a hub, and a Cisco PIX. Again you will have to purchase the 2 WIC cards (one for each router) and configure both of them for HSRP and BGP. HSRP can monitor your main connection, and if it goes down, or if the router crashes, the PIX will redirect packets to the secondary router. Here are some links for you.
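The routing decision the two replies above keep coming back to (why two plain default routes leave the router with no way to choose, how weighted or "floating" statics give failover, and why NoTx's arrangement of 1/27 on one link and 5/27 on the other needs a source-based rule rather than a destination route) can be walked through with a small longest-prefix-match simulator. This is an added example written for this thread, not code from any poster, Cisco, SonicWALL or Checkpoint. The addressing is constructed: 10.0.1.0/27 and 10.0.5.0/27 stand in for the 1/27 and 5/27 inside subnets, 192.0.2.1 and 198.51.100.1 are the two WAN next hops, 203.0.113.10 is an arbitrary outside host, and the link names wanA and wanB are made up. BGP for inbound path selection is not modelled. The last function adds the check a practitioner wants before putting a stateful firewall behind two links: a reply that leaves on a different WAN link than the session arrived on never matches the firewall's state entry.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example, not from the thread. Addressing is constructed:
#   inside "1/27" -> 10.0.1.0/27, inside "5/27" -> 10.0.5.0/27 (RFC 1918)
#   WAN A next hop 192.0.2.1, WAN B next hop 198.51.100.1 (RFC 5737 test nets)


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    link: str
    distance: int = 1  # administrative distance: lower wins among equal-length prefixes


@dataclass
class Router:
    routes: list = field(default_factory=list)
    policy: dict = field(default_factory=dict)   # source prefix -> forced egress link
    down_links: set = field(default_factory=set)

    def add_route(self, prefix, next_hop, link, distance=1):
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop, link, distance))

    def add_policy(self, src_prefix, link):
        self.policy[ipaddress.ip_network(src_prefix)] = link

    def candidates(self, dst):
        """Longest-prefix match over links that are up; ties broken by lowest distance.
        More than one survivor means the router cannot distinguish the paths."""
        ip = ipaddress.ip_address(dst)
        live = [r for r in self.routes if ip in r.prefix and r.link not in self.down_links]
        if not live:
            return []
        longest = max(r.prefix.prefixlen for r in live)
        live = [r for r in live if r.prefix.prefixlen == longest]
        best = min(r.distance for r in live)
        return [r for r in live if r.distance == best]

    def egress(self, src, dst):
        """Link a packet from src to dst leaves on, or None when ambiguous or unreachable."""
        s = ipaddress.ip_address(src)
        for net, link in self.policy.items():        # source-based policy checked first
            if s in net and link not in self.down_links:
                return link
        cands = self.candidates(dst)
        return cands[0].link if len(cands) == 1 else None


def two_equal_defaults():
    """Both WAN links as plain default routes: the router has no basis to choose."""
    r = Router()
    r.add_route("0.0.0.0/0", "192.0.2.1", "wanA")
    r.add_route("0.0.0.0/0", "198.51.100.1", "wanB")
    return len(r.candidates("203.0.113.10"))          # 2 -> ambiguous


def floating_static(link_a_down):
    """Weighted (floating) statics: WAN B is used only once WAN A is gone."""
    r = Router()
    r.add_route("0.0.0.0/0", "192.0.2.1", "wanA", distance=1)
    r.add_route("0.0.0.0/0", "198.51.100.1", "wanB", distance=200)
    if link_a_down:
        r.down_links.add("wanA")
    return r.egress("10.0.1.5", "203.0.113.10")


def per_subnet_split():
    """Each inside subnet pinned to its own WAN link; needs a source rule, not a route."""
    r = Router()
    r.add_route("0.0.0.0/0", "192.0.2.1", "wanA", distance=1)
    r.add_route("0.0.0.0/0", "198.51.100.1", "wanB", distance=200)
    r.add_policy("10.0.1.0/27", "wanA")
    r.add_policy("10.0.5.0/27", "wanB")
    return r.egress("10.0.1.5", "203.0.113.10"), r.egress("10.0.5.9", "203.0.113.10")


def reply_is_symmetric(router, inbound_link, inside_host, outside_host):
    """A stateful firewall keeps the flow on the interface it arrived on; a reply that
    leaves by the other WAN link matches no state entry and is dropped."""
    return router.egress(inside_host, outside_host) == inbound_link


def asymmetric_check():
    r = Router()
    r.add_route("0.0.0.0/0", "192.0.2.1", "wanA", distance=1)
    r.add_route("0.0.0.0/0", "198.51.100.1", "wanB", distance=200)
    # A session for the 5/27 subnet arrives over WAN B, but nothing pins 5/27 to B yet
    bad = reply_is_symmetric(r, "wanB", "10.0.5.9", "203.0.113.10")
    r.add_policy("10.0.5.0/27", "wanB")
    good = reply_is_symmetric(r, "wanB", "10.0.5.9", "203.0.113.10")
    return bad, good


if __name__ == "__main__":
    print("equal defaults, candidate routes:", two_equal_defaults())
    print("floating static, A up / A down:", floating_static(False), floating_static(True))
    print("per-subnet split:", per_subnet_split())
    print("reply symmetric before/after source policy:", asymmetric_check())
```

The floating static is the "weighted statics" case from the earlier reply: the second default route only takes over when the first link disappears, so outbound is never ambiguous. The per-subnet case is different in kind: no destination route can express "1/27 goes out link A, 5/27 goes out link B", which is why it is modelled as a source policy, and why the reply-symmetry check fails until that policy exists.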